Holy hell, that is Torked up Bad. Domain Policy to give that far
reaching right, that basically lets anyone that hacks that service root
the system. Joy Joy, I am sure that is not going to pass a security
review. I'd love to know what RDBMS is using that nonsense. 

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE,MCSA,MCP,Security+,Network+,CCA
Phone: 401-639-3505

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 29, 2008 10:48 AM
To: NT System Admin Issues
Subject: RE: "Act as part of operating system"

I figured it out...

No idea why this company's DB engine requires this right.

As this is running on a "server", the machine was in a "server" AD
group. 
The ability to add local users or groups to the list of "act as part..."
is defined in the domain security policy for "servers".

SO, once I get this fixed, that machine does NOT go back into that
group.

Thanks!
--------------------------------------
Richard McClary, Systems Administrator
ASPCA Knowledge Management
1717 S Philo Rd, Ste 36, Urbana, IL  61802
217-337-9761
http://www.aspca.org


"Ziots, Edward" <[EMAIL PROTECTED]> wrote on 04/29/2008 07:35:00 AM:

> What does gpresult /V /Scope Computer tell you? (This will tell you
> GPOs applied to computer settings)
> 
> Also what type of database needs Act as Part of Operating System. (SQL
> 2000/2005 does not need these rights, nor should they be granted)
> 
> Z
> 
> Edward E. Ziots
> Network Engineer
> Lifespan Organization
> MCSE,MCSA,MCP,Security+,Network+,CCA
> Phone: 401-639-3505
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, April 29, 2008 8:19 AM
> To: NT System Admin Issues
> Subject: "Act as part of operating system"
> 
> I have a medical substance index (expensive subscription) that broke...
> 
> Windows2003 domain, Windows2003 database server.
> 
> The database engine needs its user to be able to act as part of the 
> operating system...
> 
> In the Local Security Policy, this icon for that item looks like 3
> towers rather than a sheet of binary paper.  When I open this policy,
> the ability to add or remove users or groups is grayed-out.
> 
> This may be some setting pushed out by the domain controllers, but I
> can't find anything appropriate in the domain security policies.
> 
> ?????
> --------------------------------------
> Richard McClary, Systems Administrator
> ASPCA Knowledge Management
> 1717 S Philo Rd, Ste 36, Urbana, IL  61802
> 217-337-9761
> http://www.aspca.org
> 
> 
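
One way to check the state discussed in this thread, as an added example that is not part of the original messages: it exports the user-rights area of the security policy with secedit and lists every account that holds SeTcbPrivilege ("Act as part of the operating system"). `$AllowedSids` is a hypothetical allow-list parameter, and the temporary file name is made up for the example.

```powershell
# Added example (not from the thread): list accounts that hold
# "Act as part of the operating system" (SeTcbPrivilege) on this machine.
# Run elevated. $AllowedSids is a hypothetical allow-list, empty by default.
param([string[]]$AllowedSids = @())

$inf = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    # Export only the user-rights area of the security policy to an INF file.
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

    # The right appears as: SeTcbPrivilege = *S-1-5-...,DOMAIN\account
    $line = Get-Content $inf | Where-Object { $_ -match '^\s*SeTcbPrivilege\s*=' } |
        Select-Object -First 1
    $entries = @()
    if ($line) {
        $entries = @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    if ($entries.Count -eq 0) {
        Write-Output 'SeTcbPrivilege: no accounts assigned'
    }

    foreach ($entry in $entries) {
        $sid = $null; $name = $entry
        try {
            if ($entry.StartsWith('*')) {
                # SIDs are written with a leading '*'; resolve to a name.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } else {
                # Bare names are resolved to a SID for the allow-list check.
                $acct = New-Object System.Security.Principal.NTAccount($entry)
                $sid = $acct.Translate([System.Security.Principal.SecurityIdentifier])
            }
        } catch {
            # Deleted or unreachable accounts stay as written in the export.
        }
        [pscustomobject]@{
            Entry    = $entry
            Account  = $name
            Sid      = "$sid"
            Expected = ($sid -and ($AllowedSids -contains $sid.Value))
        }
    }
}
finally {
    Remove-Item $inf -ErrorAction SilentlyContinue
}
```

If an account shows up here while the local policy editor has the entry grayed out, the assignment is coming from a GPO, and the gpresult output mentioned in the thread shows which one applies to the computer.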